Six cybersecurity questions every CEO should ask

At Boston forum, Raytheon's top exec gives tips to start the cyber conversation

It wasn’t long ago that businesses still saw cybersecurity as a problem for the IT people to handle. But a wave of aggressive, sophisticated commercial cyberattacks has changed that way of thinking, and CEOs now know it’s up to them to ensure their companies are meeting the challenge head-on.

Behind every good cybersecurity strategy is good information about how the company works. And to get that information, CEOs must ask the right questions.

Raytheon, long a leader in government cybersecurity, is now protecting a growing number of networks in the commercial sector with services that include reverse-engineering of malware, incident response and forensic analysis.

The following is adapted from a September 2015 business forum where Raytheon Chairman and CEO Thomas A. Kennedy outlined those questions and explained why they matter.

How is the company managing risk?

Every business’ cyber strategy should start with an assessment of the problem. The National Institute of Standards and Technology has broken this down into five areas: identifying vulnerabilities; protecting critical infrastructure to limit the impact of an attack; monitoring for intrusions; developing a response plan; and taking measures to recover lost data.

Is everybody on board?

Even the best cybersecurity strategy will fail if employees don’t follow it.

A CEO might think everything’s going fine – especially if there’s a strong Chief Information Security Officer in place. But that’s a dangerous assumption. CEOs should ask whether every department is required to follow the same policies. Many will find at least one group of workers is exempt.

How secure are acquired companies?

When one company buys another, it performs extensive due diligence on factors such as finances, workforce and liabilities.

That examination should extend to cybersecurity – evaluating networks, asking how the company monitors for intrusions, researching its history of breaches, and determining whether any of its intellectual property has been stolen.

How does the company protect personal information?

Encryption is the process of encoding data so only authorized users can read it – and it is vital to every aspect of a business.

CEOs should find out how extensively their company – and its contractors – use encryption. A contractor who sets up a special website to provide services for employees, for example, poses an enormous risk if its encryption is inadequate.

How much Internet traffic data does the company keep?

When a business is attacked, the best course of action is to reverse-engineer the breach, identify the weakness in the system and fix it.

That forensic approach requires recording reams of data on the company's internet traffic. It's costly but worth the expense.

How does the company train employees?

Part of defending against cyberattacks is making sure employees don't unwittingly enable them. Some companies even test their workers by sending emails that mimic malware attacks. Anybody who opens them is shut off from the network for the day and required to report to HR.

That’s an extreme example, but it shows the importance of adopting smart cybersecurity practices in every aspect of the business – not just for the IT systems, but for the products the company delivers to the world.